NixOS · ElvishJerricco · Dec 24, 2024 · Dec 7, 2024
diff --git a/nixos/modules/system/boot/unl0kr.nix b/nixos/modules/system/boot/unl0kr.nix
@@ -15,7 +15,7 @@ in
       description = ''Whether to enable the unl0kr on-screen keyboard in initrd to unlock LUKS.'';
     };
 
-    package = lib.mkPackageOption pkgs "unl0kr" { };
+    package = lib.mkPackageOption pkgs "buffybox" { };
 
     allowVendorDrivers = lib.mkEnableOption "load optional drivers" // {
       description = ''Whether to load additional drivers for certain vendors (I.E: Wacom, Intel, etc.)'';
@@ -27,12 +27,13 @@ in
 
         See `unl0kr.conf(5)` for supported values.
 
-        Alternatively, visit `https://gitlab.com/postmarketOS/buffybox/-/blob/unl0kr-2.0.0/unl0kr.conf`
+        Alternatively, visit `https://gitlab.postmarketos.org/postmarketOS/buffybox/-/blob/3.2.0/unl0kr/unl0kr.conf`
       '';
 
       example = lib.literalExpression ''
         {
           general.animations = true;
+          general.backend = "drm";
           theme = {
             default = "pmos-dark";
             alternate = "pmos-light";
@@ -51,14 +52,15 @@ in
         assertion = cfg.enable -> config.boot.initrd.systemd.enable;
         message = "boot.initrd.unl0kr is only supported with boot.initrd.systemd.";
       }
-      {
-        assertion = !config.boot.plymouth.enable;
-        message = "unl0kr will not work if plymouth is enabled.";
-      }
-      {
-        assertion = !config.hardware.amdgpu.initrd.enable;
-        message = "unl0kr has issues with video drivers that are loaded on stage 1.";
-      }
+    ];
+
+    warnings = lib.mkMerge [
+      (lib.mkIf (config.hardware.amdgpu.initrd.enable) [
+        ''Use early video loading at your risk. It's not guaranteed to work with unl0kr.''
+      ])
+      (lib.mkIf (config.boot.plymouth.enable) [
+        ''Upstream clearly intends unl0kr to not run with Plymouth. Good luck''
+      ])
     ];
 
     boot.initrd.availableKernelModules =
@@ -83,65 +85,17 @@ in
     boot.initrd.systemd = {
       contents."/etc/unl0kr.conf".source = settingsFormat.generate "unl0kr.conf" cfg.settings;
       storePaths = with pkgs; [
-        "${pkgs.gnugrep}/bin/grep"
         libinput
         xkeyboard_config
-        "${config.boot.initrd.systemd.package}/lib/systemd/systemd-reply-password"
         (lib.getExe' cfg.package "unl0kr")
+        "${cfg.package}/libexec/unl0kr-agent"
       ];
-      services = {
-        unl0kr-ask-password = {
-          description = "Forward Password Requests to unl0kr";
-          conflicts = [
-            "emergency.service"
-            "initrd-switch-root.target"
-            "shutdown.target"
-          ];
-          unitConfig.DefaultDependencies = false;
-          after = [
-            "systemd-vconsole-setup.service"
-            "udev.service"
-          ];
-          before = [ "shutdown.target" ];
-          script = ''
-            # This script acts as a Password Agent: https://systemd.io/PASSWORD_AGENTS/
 
-            DIR=/run/systemd/ask-password/
-            # If a user has multiple encrypted disks, the requests might come in different times,
-            # so make sure to answer as many requests as we can. Once boot succeeds, other
-            # password agents will be responsible for watching for requests.
-            while [ -d $DIR ] && [ "$(ls -A $DIR/ask.*)" ];
-            do
-              for file in `ls $DIR/ask.*`; do
-                socket="$(cat "$file" | ${pkgs.gnugrep}/bin/grep "Socket=" | cut -d= -f2)"
-                ${lib.getExe' cfg.package "unl0kr"} -v -C "/etc/unl0kr.conf" | ${config.boot.initrd.systemd.package}/lib/systemd/systemd-reply-password 1 "$socket"
-              done
-            done
-          '';
-        };
-      };
+      packages = [
+        pkgs.buffybox
+      ];
 
-      paths = {
-        unl0kr-ask-password = {
-          description = "Forward Password Requests to unl0kr";
-          conflicts = [
-            "emergency.service"
-            "initrd-switch-root.target"
-            "shutdown.target"
-          ];
-          unitConfig.DefaultDependencies = false;
-          before = [
-            "shutdown.target"
-            "paths.target"
-            "cryptsetup.target"
-          ];
-          wantedBy = [ "sysinit.target" ];
-          pathConfig = {
-            DirectoryNotEmpty = "/run/systemd/ask-password";
-            MakeDirectory = true;
-          };
-        };
-      };
+      paths.unl0kr-agent.wantedBy = [ "local-fs-pre.target" ];
     };
   };
 }
diff --git a/nixos/tests/systemd-initrd-luks-unl0kr.nix b/nixos/tests/systemd-initrd-luks-unl0kr.nix
@@ -1,75 +1,109 @@
-import ./make-test-python.nix ({ lib, pkgs, ... }: let
-  passphrase = "secret";
-in {
-  name = "systemd-initrd-luks-unl0kr";
-  meta = {
-    maintainers = [];
-  };
+import ./make-test-python.nix (
+  { lib, pkgs, ... }:
+  let
+    passphrase = "secret";
 
-  enableOCR = true;
+    debugPackages = with pkgs; [
+      coreutils-prefixed
+      toybox
 
-  nodes.machine = { pkgs, ... }: {
-    virtualisation = {
-      emptyDiskImages = [ 512 512 ];
-      useBootLoader = true;
-      mountHostNixStore = true;
-      useEFIBoot = true;
-      qemu.options = [
-        "-vga virtio"
-      ];
+      micro
+      nano
+    ];
+  in
+  {
+    name = "systemd-initrd-luks-unl0kr";
+    meta = {
+      maintainers = [ ];
     };
-    boot.loader.systemd-boot.enable = true;
 
-    boot.initrd.availableKernelModules = [
-      "evdev" # for entering pw
-      "bochs"
-    ];
+    # TODO: Fix OCR: #302965
+    # enableOCR = true;
 
-    environment.systemPackages = with pkgs; [ cryptsetup ];
-    boot.initrd = {
-      systemd = {
-        enable = true;
-        emergencyAccess = true;
-      };
-      unl0kr.enable = true;
-    };
+    nodes.machine =
+      { pkgs, ... }:
+      {
+        virtualisation = {
+          emptyDiskImages = [
+            512
+            512
+          ];
+          useBootLoader = true;
+          mountHostNixStore = true;
+          useEFIBoot = true;
+          qemu.options = [
+            "-vga virtio"
+          ];
+        };
+        boot.loader.systemd-boot.enable = true;
+
+        boot.kernelParams = [
+          "rd.systemd.debug_shell"
+        ];
 
-    specialisation.boot-luks.configuration = {
-      boot.initrd.luks.devices = lib.mkVMOverride {
-        # We have two disks and only type one password - key reuse is in place
-        cryptroot.device = "/dev/vdb";
-        cryptroot2.device = "/dev/vdc";
+        environment.systemPackages =
+          with pkgs;
+          [
+            cryptsetup
+          ]
+          ++ debugPackages;
+        boot.initrd = {
+          systemd = {
+            enable = true;
+            emergencyAccess = true;
+
+            storePaths = debugPackages;
+          };
+          unl0kr = {
+            enable = true;
+
+            settings = {
+              general.backend = "drm";
+              # TODO: Fix OCR. See above.
+              # theme.default = "adwaita-dark"; # Improves contrast quite a bit, helpful for OCR.
+            };
+          };
+        };
+
+        specialisation.boot-luks.configuration = {
+          testing.initrdBackdoor = true;
+          boot.initrd.luks.devices = lib.mkVMOverride {
+            # We have two disks and only type one password - key reuse is in place
+            cryptroot.device = "/dev/vdb";
+            cryptroot2.device = "/dev/vdc";
+          };
+          virtualisation.rootDevice = "/dev/mapper/cryptroot";
+          virtualisation.fileSystems."/".autoFormat = true;
+          # test mounting device unlocked in initrd after switching root
+          virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2";
+        };
       };
-      virtualisation.rootDevice = "/dev/mapper/cryptroot";
-      virtualisation.fileSystems."/".autoFormat = true;
-      # test mounting device unlocked in initrd after switching root
-      virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2";
-    };
-  };
 
-  testScript = ''
-    # Create encrypted volume
-    machine.wait_for_unit("multi-user.target")
-    machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
-    machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
-    machine.succeed("echo -n ${passphrase} | cryptsetup luksOpen   -q               /dev/vdc cryptroot2")
-    machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2")
+    testScript = ''
+      # Create encrypted volume
+      machine.wait_for_unit("multi-user.target")
+      machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
+      machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
+      machine.succeed("echo -n ${passphrase} | cryptsetup luksOpen   -q               /dev/vdc cryptroot2")
+      machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2")
 
-    # Boot from the encrypted disk
-    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
-    machine.succeed("sync")
-    machine.crash()
+      # Boot from the encrypted disk
+      machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
+      machine.succeed("sync")
+      machine.crash()
 
-    # Boot and decrypt the disk
-    machine.start()
-    machine.wait_for_text("Password required for booting")
-    machine.screenshot("prompt")
-    machine.send_chars("${passphrase}")
-    machine.screenshot("pw")
-    machine.send_chars("\n")
-    machine.wait_for_unit("multi-user.target")
+      # Boot and decrypt the disk. This part of the test is SLOW.
+      machine.start()
+      machine.wait_for_unit("unl0kr-agent.service")
+      machine.screenshot("prompt")
+      machine.send_chars("${passphrase}")
+      machine.screenshot("pw")
+      machine.send_chars("\n")
+      machine.switch_root()
+      machine.wait_for_unit("multi-user.target")
 
-    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount"), "/dev/mapper/cryptroot do not appear in mountpoints list"
-    assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount")
-  '';
-})
+      assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount"), "/dev/mapper/cryptroot do not appear in mountpoints list"
+      assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount")
+    '';
+  }
+)
diff --git a/pkgs/by-name/un/unl0kr/package.nix b/pkgs/by-name/un/unl0kr/package.nix
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
@@ -1325,6 +1325,7 @@ mapAliases {
   unifi8 = unifi; # Added 2024-11-15
   unifiLTS = throw "'unifiLTS' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Added 2024-04-11
   unifiStable = throw "'unifiStable' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Converted to throw 2024-04-11
+  unl0kr = throw "'unl0kr' is now included with buffybox. Use `pkgs.buffybox` instead."; # Removed 2024-12-20
   untrunc = throw "'untrunc' has been renamed to/replaced by 'untrunc-anthwlock'"; # Converted to throw 2024-10-17
   urxvt_autocomplete_all_the_things = throw "'urxvt_autocomplete_all_the_things' has been renamed to/replaced by 'rxvt-unicode-plugins.autocomplete-all-the-things'"; # Converted to throw 2024-10-17
   urxvt_bidi = throw "'urxvt_bidi' has been renamed to/replaced by 'rxvt-unicode-plugins.bidi'"; # Converted to throw 2024-10-17